Ensure Same Classification for Virtualised Environments
All shared server environments must be of the same classification to maintain security integrity.
Plain language
When different virtual environments share the same physical server, they all need to be classified at the same security level, like SECRET or TOP SECRET. This is crucial because if environments with different security levels mix, sensitive information could leak to less secure areas, risking exposure or even legal issues.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Virtualisation hardening
Official control statement
When using a software-based isolation mechanism to share a physical server's hardware for SECRET or TOP SECRET computing environments, the physical server and all computing environments are of the same classification and belong to the same security domain.
Why it matters
Mixing classifications risks data leakage; a less secure virtual environment could expose SECRET or TOP SECRET information, endangering national security.
Operational notes
Confirm the physical host and all VMs/containers are the same SECRET/TOP SECRET classification and security domain; block mixed-classification tenancy.
Implementation tips
- IT Managers should ensure all virtual environments on a physical server have the same security classification. They should coordinate with system administrators to confirm that no virtual machine (VM) is running at a lower classification level than required.
- System Owners must verify the classification of their environments regularly. They can do this by checking system documentation and confirming with IT staff that all VMs on shared hardware are aligned in classification.
- Security Officers need to audit all virtual environments on shared servers. Conduct checks by reviewing classification policies and confirming that they match the environment's settings.
- Procurement teams should only acquire servers capable of handling the highest classification level needed by any environment. They must coordinate with security officers to understand the classification requirements before purchasing.
- The IT Support team should maintain thorough records of each virtual environment's classification level. They need to regularly update this information in a centralized system accessible to authorized personnel.
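One way to run the operational check over a classification register export, as an added example that is not part of the ISM or of this page's source. The record layout, host and VM names, domain labels and the PROTECTED/OFFICIAL sample rows are constructed assumptions.

```python
from dataclasses import dataclass

# Classifications the control statement applies to.
IN_SCOPE = {"SECRET", "TOP SECRET"}

@dataclass(frozen=True)
class Env:
    name: str
    classification: str
    domain: str  # security domain label (hypothetical naming)

def check_host(host: Env, guests: list[Env]) -> list[str]:
    """Return findings for one physical server; an empty list means compliant."""
    # The control applies once the host or any guest is SECRET or TOP SECRET.
    if not any(m.classification in IN_SCOPE for m in [host, *guests]):
        return []
    findings = []
    for g in guests:
        if g.classification != host.classification:
            findings.append(f"{g.name} is {g.classification}, host {host.name} is {host.classification}")
        if g.domain != host.domain:
            findings.append(f"{g.name} is in {g.domain}, host {host.name} is in {host.domain}")
    return findings

def placement_allowed(host: Env, guests: list[Env], new_guest: Env) -> bool:
    """Pre-placement gate: refuse a guest that would create mixed tenancy."""
    return not check_host(host, [*guests, new_guest])

def audit(inventory: dict) -> dict:
    """Map each non-compliant host name to its list of findings."""
    results = {name: check_host(h, gs) for name, (h, gs) in inventory.items()}
    return {name: f for name, f in results.items() if f}

# Constructed sample register: one compliant host, one mixed host, one out of scope.
INVENTORY = {
    "hv-01": (Env("hv-01", "SECRET", "dom-a"),
              [Env("vm-1", "SECRET", "dom-a"), Env("vm-2", "SECRET", "dom-a")]),
    "hv-02": (Env("hv-02", "TOP SECRET", "dom-b"),
              [Env("vm-3", "TOP SECRET", "dom-b"),
               Env("vm-4", "SECRET", "dom-b"),        # classification mismatch
               Env("vm-5", "TOP SECRET", "dom-c")]),  # security domain mismatch
    "hv-03": (Env("hv-03", "PROTECTED", "dom-d"), [Env("vm-6", "OFFICIAL", "dom-d")]),
}

if __name__ == "__main__":
    for host_name, findings in audit(INVENTORY).items():
        for finding in findings:
            print(f"[{host_name}] {finding}")
```

The same `check_host` logic serves both the periodic audit and the placement gate, so the register and the scheduler cannot drift apart on what counts as mixed tenancy.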
Audit / evidence tips
- Ask: server classification documentation: Request documents that list the classification levels of all virtual environments on shared physical servers
  Good: will include a spreadsheet or database entry showing consistent classifications
- Ask: policy compliance reports: Request a report that confirms the environments are being managed according to the classification policy
  Good: will include evidence of periodic reviews and management sign-offs
- Ask: system change logs: Request logs that record any changes to virtual environments on these servers
  Good: will include detailed change records with timestamps and authorisation for modifications
- Ask: a list of server security approvals: Request the documentation that shows which personnel have authorised the server classifications
  Good: will have clear records of approvals and certification details
- Ask: incident response procedures: Check if there are specific procedures for incidents related to classification breaches
  Good: will include a documented process for identifying and resolving classification errors swiftly
Cross-framework mappings
How ISM-1461 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Depends on (1) | | |
| Annex A 5.12 | ISM-1461 requires that when virtualisation is used to share a physical server for SECRET or TOP SECRET computing environments, the host a... | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| E8-RA-ML2.3 | ISM-1461 requires same-classification and same-security-domain co-tenancy when virtualising SECRET or TOP SECRET environments on shared p... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.